Re: Filter a TCP stream based on a text appearing in the initial IP packet of the stream

Hello,

Jan Engelhardt wrote:
> On May 10 2007 14:51, Michael Ransburg wrote:
>
>> let's say someone is downloading a website using http/tcp/ip. This
>> website is very large, i.e., there will be many IP packets in this TCP
>> stream.
>
> There may even be many different TCP connections.
>
>> I know that there is a certain phrase at the top of the
>> website, let's say "foobar", which will therefore be part of the first
>> IP packet of this TCP stream.

Do you mean the page title enclosed in the <title> tag, which most browsers conveniently display in the title bar? No, it is not part of the first IP packet. The first packets in a TCP stream are SYN packets used for synchronisation, which contain no TCP data.

> The first return packet is not guaranteed to carry the first byte of the HTML
> page.

Don't you mean "the first return packet *is* guaranteed *not to* carry the first byte of the HTML page", or "the first return TCP *segment* is not guaranteed to carry the first byte of the HTML page"? ;-)

> If the HTTP header is "big enough"

And/or the HTML header contents before the <title> tag is big enough.

> and the MTU is "small enough",
> then it is likely that the packet is split before foobar.
>> [...]
>> So what I want to say in a rule is:
>> If the first (or simply "a") IP packet of a TCP stream contains a
>> given phrase, then please filter (match) all IP packets which belong
>> to this TCP stream.
>>
>> Can this be done using iptables / netfilter?
>
> -m string --string foobar -j CONNMARK --set-mark 1
> -m connmark --mark 1 -j DROP/REJECT/whatever.

Does this work if the string is split in two consecutive segments?
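As an added illustration of the question raised at the end of this reply (my own constructed model, not code from the thread or from netfilter), a small Python simulation of the `-m string` + CONNMARK rule pair: per-packet inspection, which is what the string match does, is compared with matching on the reassembled byte stream of the connection. The HTTP response, the connection id "c1" and the MSS values are all made up for the demonstration.

```python
"""Constructed model of how `-m string` + CONNMARK behaves when the phrase
straddles a TCP segment boundary. Not netfilter code; a plain simulation."""
from collections import defaultdict

PHRASE = b"foobar"

# Constructed HTTP response for the page being downloaded. The phrase
# starts at byte offset 63 of the TCP payload stream.
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><head><title>foobar page</title></head><body>...")


def build_packets(mss):
    """Return (conn_id, payload) tuples: an empty SYN-style packet first
    (no TCP data), then the response cut into segments of at most `mss` bytes."""
    segs = [RESPONSE[i:i + mss] for i in range(0, len(RESPONSE), mss)]
    return [("c1", b"")] + [("c1", s) for s in segs]


def drop_per_packet(packets, phrase=PHRASE):
    """Mimic `-m string --string foobar -j CONNMARK --set-mark 1` followed by
    `-m connmark --mark 1 -j DROP`: every packet is inspected on its own, and
    once a connection is marked all of its later packets are dropped too."""
    marked, dropped = set(), []
    for idx, (conn, payload) in enumerate(packets):
        if phrase in payload:
            marked.add(conn)
        if conn in marked:
            dropped.append(idx)
    return dropped


def drop_reassembled(packets, phrase=PHRASE):
    """Same policy, but matched against the reassembled byte stream of each
    connection, as a proxy or a stream-aware IDS would do."""
    streams, marked, dropped = defaultdict(bytes), set(), []
    for idx, (conn, payload) in enumerate(packets):
        streams[conn] += payload
        if phrase in streams[conn]:
            marked.add(conn)
        if conn in marked:
            dropped.append(idx)
    return dropped


if __name__ == "__main__":
    for mss in (80, 66):  # 80 keeps "foobar" whole; 66 splits it "foo" | "bar"
        pkts = build_packets(mss)
        print(mss, drop_per_packet(pkts), drop_reassembled(pkts))
```

With an MSS of 66 the per-packet matcher never fires, so nothing in the connection is dropped, while the reassembled matcher catches the phrase on the second data segment (and, like any stream matcher, can only act from that segment onward).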


